HSCC Publishes Guidance on Healthcare Information Sharing Organizations

The Healthcare and Public Health Sector Coordinating Council (HSCC) has published guidance on cybersecurity information sharing organizations in the healthcare sector.

HSCC is a public-private partnership of more than 200 companies and organizations, including health IT companies, medical device manufacturers, laboratories, pharmaceutical companies, health plans, payers and government agencies. Its role is to provide collaborative solutions to help mitigate cybersecurity threats affecting the healthcare industry.

The Health Industry Cybersecurity Matrix of Information Sharing Organizations (HIC-MISO) is the fourth cybersecurity resource published by HSCC as mandated by the Health Care Industry Cybersecurity Task Force, which requires HSCC to help improve information sharing of industry threats, risks, and mitigations. Other resources previously published by HSCC cover healthcare industry cybersecurity best practices, developing a medical device joint security plan, and the development of a health industry cybersecurity workforce.

“Many health organizations are beginning to understand the importance of cybersecurity information sharing but don’t know where to start,” said Errol Weiss, Chief Security Officer of the Health Information Sharing and Analysis Center (H-ISAC) and co-chair of the HSCC task group responsible for the HIC-MISO toolkit. “With cyber-attacks against health organizations increasing in number and severity, one of the most important things an enterprise can do is build awareness and preparedness through community engagement.”

The aim of the HIC-MISO is to help healthcare organizations understand the importance of cybersecurity information sharing and to provide the resources they need to start participating in threat sharing. The HIC-MISO is a list of the most commonly used information sharing organizations (ISOs) in the healthcare industry along with details of the services they provide.

To keep the HIC-MISO simple and manageable, it is limited to the most widely used ISOs serving the healthcare industry at a national rather than regional level. The HIC-MISO includes information on ISOs such as HITRUST, H-ISAC, HPH-SCC, and MED-ISAO, along with the mission/function of each, the services provided, and any potential costs of participation. It is aimed at healthcare organizations that do not have the resources to participate in more than one or two threat sharing groups.

HSCC advises healthcare organizations that are not currently participating in threat sharing to start small and to initially only share the most important information. As the program matures and organizations become more comfortable with threat sharing, more information can be shared, and the program can be expanded. The most important step is to get started.

The HIC-MISO is supplemented with a guide that will allow organizations establish an information management structure that is appropriate to the size of the enterprise, the resources available, and its risk profile.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.